0

the finger man page says I need to use chmod to give the home directory the "other-users-execute bit set", in order to restrict finger requests to only those that original from the local host as a security measure,but I cant find that in the chmod man page, is this very straight forward or is there other material I need to cover to understand what is happening there?

Improve this question
0

1 Answer 1

Reset to default
2

The context here is presumably this section of the finger manpage:

~/.nofinger

If finger finds this file in a user's home directory, it will, for finger requests originating outside the local host, firmly deny the existence of that user. For this to work, the finger program, as started by fingerd(8), must be able to see the .nofinger file. This generally means that the home directory containing the file must have the other-users-execute bit set (o+x). See chmod(1). If you use this feature for privacy, please test it with “finger @localhost” before relying on it, just in case.

Once you know how chmod works, this tells you what to do: chmod o+x /path/to/home/directory. As a regular user, you can do this as follows:

cd
chmod o+x .

Root can change all home directories:

sudo chmod o+x /home/*/

In the GNU chmod manpage, the following paragraphs explain this:

The format of a symbolic mode is [ugoa...][[-+=][perms...]...], where perms is either zero or more letters from the set rwxXst, or a single letter from the set ugo. Multiple symbolic modes can be given, separated by commas.

A combination of the letters ugoa controls which users' access to the file will be changed: the user who owns it (u), other users in the file's group (g), other users not in the file's group (o), or all users (a). If none of these are given, the effect is as if (a) were given, but bits that are set in the umask are not affected.

The operator + causes the selected file mode bits to be added to the existing file mode bits of each file; - causes them to be removed; and = causes them to be added and causes unmentioned bits to be removed except that a directory's unmentioned set user and group ID bits are not affected.

The letters rwxXst select file mode bits for the affected users: read (r), write (w), execute (or search for directories) (x), execute/search only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), restricted deletion flag or sticky bit (t). Instead of one or more of these letters, you can specify exactly one of the letters ugo: the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users that are in neither of the two preceding categories (o).

Improve this answer
6
  • That's not really quite correct. The finger daemon runs without any special permissions, so chmod o+x only facilitates fingerd if the previous permissions were o=. This can vary from system to system, or by Linux distribution. Commented Sep 8, 2020 at 12:07
  • @roaima I’m afraid I don’t understand what you’re saying. chmod o+x sets the bit in any case; so after it’s run, fingerd will be able to check for the existence of .nofinger, irrespective of what the permissions were before (and yes, fingerd might have already been able to do this). Commented Sep 8, 2020 at 12:09
  • 1
    If the permissions were already o=rx (as on Debian, for example) then the chmod operation is a no-op. However, on RHEL-derived systems IIRC the default is o= so the chmod o+x is necessary for fingerd to be able to search for the file ~/.nofinger Commented Sep 8, 2020 at 12:10
  • Yes, but I still don’t understand how that makes the answer (or the manpage) “not really quite correct”. It’s just as easy to run chmod o+x as it is to check for the permission before deciding whether to run chmod o+x, isn’t it? And in any case, chmod o+x results in a configuration which works — which doesn’t say anything about whether it worked before the chmod. Commented Sep 8, 2020 at 12:13
  • shortly after posting this question I found this page which is proving to also be very helpful heather.cs.ucdavis.edu/~matloff/UnixAndC/CLanguage/… Commented Sep 8, 2020 at 12:18

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.